Keys not trusted

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Tue May 6 07:49:02 2003



On Tuesday 06 May 2003 02:03, Wolfgang Bornath wrote:
> Hi,
>
> Being fairly new in this I joined this list and received some messages
> by people who signed their messages. I always imported the keys (using
> the gpg option --auto-key-retrieve) and kmail tells me
> "Message is signed by XY (blahblub) (Key-ID: 0x12345678).
> Signature is valid but the key is not trusted."

This is not a bad thing in itself - it just means that you do not absolutely
know that you have the person's true public key. It could be just somebody
posting a public key under their name.

> When I want to send a private mail to somebody like that and I want to
> encrypt the text I see the list of my pubring but all imported keys are
> marked red and I cannot encrypt.
> Only my own public key is marked green and I can use it to send
> encrypted mails to myself (Big Deal!)

Hmm. I think kmail has an option to allow you to send encrypted mail to
untrusted keys. However, it doesn't make sense since you don't really know
who you're sending an encrypted mail to. (Of course, for casual use, you can
usually trust that a published email address, if used for some time on mailing
lists with always the same key, does correspond to the real person. And, if
you look at their public key and there are many signatures on the key from
other people on the mailing list or other people you know, there's a good chance
that the key is actually genuine. It's just not that secure if you assume
that there's an actual enemy around trying to steal somebody's identity.)

> I signed one of those public keys because I know the person and my sig
> is listed but still the same.

It is good practice to really carefully check that you really have the right
key (and, if you don't know the person well enough, of course also that you
have the right person). Personally, I check the fingerprint with people I
know. Just a little paranoia there, but with the web of trust idea you have
other people relying on you doing this check carefully, and an error affects
not only you but potentially lots of people.

> Could someone explain or point me into the right direction?

You need to build a web of trust - get your key signed by other GPG/PGP users,
and sign their key. http://biglumber.com may list some people in your area,
and there's also a keysigning mailing list (search the archives or google, I
don't have the address handy right now) where you could ask if there's some
people in your area. Then you also need to assign trust values to the keys -
you assess how much you trust other people to be careful when they sign a key
- by running gpg --update-trustdb.

I'd recommend that you read the documentation on http://gnupg.org, especially
the chapters about key signing and the Web of Trust:
http://www.gnupg.org/gph/en/manual.html; the interesting bits are in chapters
3 and 4.

greets
-- vbi

-- 
Available for key signing in Zürich and Basel, Switzerland
                     (what's this? Look at http://fortytwo.ch/gpg/intro)
